chore(deps): bump the npm_and_yarn group across 2 directories with 6 updates by dependabot[bot] · Pull Request #535 · herodevs/cli

dependabot · 2026-04-14T15:14:47Z

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package	From	To
basic-ftp	`5.1.0`	`5.2.2`
picomatch	`4.0.3`	`4.0.4`
picomatch	`2.3.1`	`2.3.2`
rollup	`4.57.1`	`4.60.1`
tar	`7.5.7`	`7.5.13`
undici	`7.22.0`	`7.25.0`

Bumps the npm_and_yarn group with 1 update in the /e2e/fixtures/npm/simple directory: bootstrap.

Updates basic-ftp from 5.1.0 to 5.2.2

Release notes

Sourced from basic-ftp's releases.

5.2.2

Fixed: Improve control character rejection, fixes GHSA-6v7q-wjvx-w8wg.

5.2.1

Fixed: Reject control character injection attempts using paths. See GHSA-chqc-8p9q-pq6q.

5.2.0

Changed: Skip files with invalid name in downloadToDir.

Changelog

Sourced from basic-ftp's changelog.

5.2.2

Fixed: Improve control character rejection, fixes GHSA-6v7q-wjvx-w8wg.

5.2.1

Fixed: Reject control character injection attempts using paths. See GHSA-chqc-8p9q-pq6q.

5.2.0

Changed: Skip files with invalid name in downloadToDir. Fixes security vulnerability CVE-2026-27699, see GHSA-5rq4-664w-9x2c.

Commits

e9d09d6 Bump version
20327d3 Move prevention of control character injection to more central place
ba40f9d Update dev dependencies
6b0008b Bump version
2ecc8e2 Reject control character injection attempts using paths
515d21f Update security policy and reporting instructions
9744254 Link to security advisory
5d41e45 Bump version
49c2e73 Update dependencies
2a2a0e6 Skip invalid filenames
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by patrickjuchli, a new releaser for basic-ftp since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

e5474fc Publish 4.0.4
4516eb5 Merge commit from fork
5eceecd Merge commit from fork
0db7dd7 Run benchmark again against latest minimatch version (#161)
9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
2661f23 fix typo in globstars.js test name (#138)
1798b07 docs: fix makeRe example (#143)
9d76bc5 chore: undocument removed options (#146)
e4d718b Remove unused time-require (#160)
38dffeb chore(deps): pin dependencies (#158)
Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

e5474fc Publish 4.0.4
4516eb5 Merge commit from fork
5eceecd Merge commit from fork
0db7dd7 Run benchmark again against latest minimatch version (#161)
9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
2661f23 fix typo in globstars.js test name (#138)
1798b07 docs: fix makeRe example (#143)
9d76bc5 chore: undocument removed options (#146)
e4d718b Remove unused time-require (#160)
38dffeb chore(deps): pin dependencies (#158)
Additional commits viewable in compare view

Updates rollup from 4.57.1 to 4.60.1

Release notes

Sourced from rollup's releases.

v4.60.1

4.60.1

2026-03-30

Bug Fixes

Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

#6286: fix: skip dropping side-effects on namespaceReexportsByName cache hit (#6274) (@littlegrayss, @TrickyPi)

#6317: chore(deps): pin dependencies (@renovate[bot], @lukastaegert)

#6318: chore(deps): update msys2/setup-msys2 digest to cafece8 (@renovate[bot], @lukastaegert)

#6319: chore(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6320: chore(deps): pin dependency typescript to v5 (@renovate[bot], @lukastaegert)

#6321: chore(deps): update openharmony-rs/setup-ohos-sdk action to v1 (@renovate[bot], @lukastaegert)

#6322: fix(deps): update swc monorepo (major) (@renovate[bot], @lukastaegert)

#6323: chore(deps): lock file maintenance (@renovate[bot])

#6324: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

v4.60.0

4.60.0

2026-03-22

Features

Support source phase imports as long as they are external (#6279)

Pull Requests

#6279: feat: external only Source Phase imports support (@guybedford, @lukastaegert)

v4.59.1

4.59.1

2026-03-21

Bug Fixes

Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

#6281: fix(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6282: chore(deps): update github artifact actions (major) (@renovate[bot], @lukastaegert)

#6283: chore(deps): update dependency nyc to v18 (@renovate[bot], @lukastaegert)

#6284: fix(deps): update swc monorepo (major) (@renovate[bot])

#6285: chore(deps): lock file maintenance (@renovate[bot])

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.1

2026-03-30

Bug Fixes

Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

#6286: fix: skip dropping side-effects on namespaceReexportsByName cache hit (#6274) (@littlegrayss, @TrickyPi)

#6317: chore(deps): pin dependencies (@renovate[bot], @lukastaegert)

#6318: chore(deps): update msys2/setup-msys2 digest to cafece8 (@renovate[bot], @lukastaegert)

#6319: chore(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6320: chore(deps): pin dependency typescript to v5 (@renovate[bot], @lukastaegert)

#6321: chore(deps): update openharmony-rs/setup-ohos-sdk action to v1 (@renovate[bot], @lukastaegert)

#6322: fix(deps): update swc monorepo (major) (@renovate[bot], @lukastaegert)

#6323: chore(deps): lock file maintenance (@renovate[bot])

#6324: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

4.60.0

2026-03-22

Features

Support source phase imports as long as they are external (#6279)

Pull Requests

#6279: feat: external only Source Phase imports support (@guybedford, @lukastaegert)

4.59.1

2026-03-21

Bug Fixes

Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

#6281: fix(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6282: chore(deps): update github artifact actions (major) (@renovate[bot], @lukastaegert)

#6283: chore(deps): update dependency nyc to v18 (@renovate[bot], @lukastaegert)

#6284: fix(deps): update swc monorepo (major) (@renovate[bot])

#6285: chore(deps): lock file maintenance (@renovate[bot])

#6290: chore(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6291: chore(deps): update dependency @shikijs/vitepress-twoslash to v4 (@renovate[bot])

#6292: chore(deps): lock file maintenance (@renovate[bot])

... (truncated)

Commits

ae871d7 4.60.1
51f8f60 fix: skip dropping side-effects on namespaceReexportsByName cache hit (#6274)...
ca55406 chore(deps): pin dependency typescript to v5 (#6320)
fe50d86 chore(deps): pin dependencies (#6317)
42785ff chore(deps): update minor/patch updates (#6319)
65e82a9 chore(deps): update msys2/setup-msys2 digest to cafece8 (#6318)
c336205 chore(deps): update openharmony-rs/setup-ohos-sdk action to v1 (#6321)
b25d25e fix(deps): update swc monorepo (major) (#6322)
119abdb chore(deps): lock file maintenance (#6324)
5598a66 chore(deps): lock file maintenance (#6323)
Additional commits viewable in compare view

Updates tar from 7.5.7 to 7.5.13

Commits

d6611ae 7.5.13
119c401 fix(extract): prevent raced symlink writes outside cwd
2a294d3 7.5.12
01082a4 fix: reject top promise on floating addFilesAsync rejections
dd1c36a linting
35a1ffe doc: more clarity in security warning
bf776f6 7.5.11
f48b5fa prevent escaping symlinks with drive-relative paths
97cff15 docs: more security info
2b72abc 7.5.10
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates undici from 7.22.0 to 7.25.0

Release notes

Sourced from undici's releases.

v7.25.0

What's Changed

Full Changelog: nodejs/undici@v7.24.8...v7.25.0

v7.24.8

What's Changed

fix: backport 401 stream-backed body fix to v7.x by @mcollina in nodejs/undici#5006

Full Changelog: nodejs/undici@v7.24.7...v7.24.8

v7.24.7

What's Changed

docs: update broken links in file "Dispatcher.md" by @samuel871211 in nodejs/undici#4924

doc: remove unused parameter redirectionLimitReached by @samuel871211 in nodejs/undici#4933

test: skip flaky macOS Node 20 cookie fetch cases by @mcollina in nodejs/undici#4932

fix(types): align Response with DOM fetch types by @theamodhshetty in nodejs/undici#4867

fix(types): Fix clone method type declaration to be an instance method rather than instance property by @mistval in nodejs/undici#4925

test: skip IPv6 tests when IPv6 is not available by @mcollina in nodejs/undici#4939

fix: correctly handle multi-value rawHeaders in fetch by @mcollina in nodejs/undici#4938

ignore AGENTS.md by @mcollina in nodejs/undici#4942

New Contributors

@samuel871211 made their first contribution in nodejs/undici#4924

@mistval made their first contribution in nodejs/undici#4925

Full Changelog: nodejs/undici@v7.24.6...v7.24.7

v7.24.6

What's Changed

fix(test): client wasm compatible with clang 22 by @rozzilla in nodejs/undici#4909

fix(mock): improve error message when intercepts are exhausted by @travisbreaks in nodejs/undici#4912

fix(websocket): support open diagnostics over h2 by @mcollina in nodejs/undici#4921

fix: assume http/https scheme for scheme-less proxy env vars by @travisbreaks in nodejs/undici#4914

fix(cache): check Authorization on request headers per RFC 9111 §3.5 by @metalix2 in nodejs/undici#4911

fix: wrap kConnector call in try/catch to prevent client hang by @veeceey in nodejs/undici#4834

docs: clarify fetch and FormData pairing by @mcollina in nodejs/undici#4922

fix: support Connection header with connection-specific header names per RFC 7230 by @mcollina in nodejs/undici#4775

fix: avoid prototype collisions in parseHeaders by @mcollina in nodejs/undici#4923

build(deps-dev): bump typescript from 5.9.3 to 6.0.2 by @dependabot[bot] in nodejs/undici#4926

test: auto-init WPT submodule by @mcollina in nodejs/undici#4930

New Contributors

@rozzilla made their first contribution in nodejs/undici#4909

@veeceey made their first contribution in nodejs/undici#4834

Full Changelog: nodejs/undici@v7.24.5...v7.24.6

... (truncated)

Commits

12d9045 Bumped v7.25.0 (#5025)
7a6f7fe Bumped v7.24.8 (#5020)
1f85ae4 fix: avoid 401 failures for stream-backed request bodies (#4941) (#5006)
c661067 chore: update v7.x maintenance release flow
84f23e2 Bumped v7.24.7 (#4947)
a770b10 ignore AGENTS.md (#4942)
6acd19b fix: correctly handle multi-value rawHeaders in fetch (#4938)
1da1c74 test: skip IPv6 tests when IPv6 is not available (#4939)
04cb773 fix(types): Fix clone method type declaration to be an instance method rather...
5145a7c fix(types): align Response with DOM fetch types (#4867)
Additional commits viewable in compare view

Updates bootstrap from 3.1.1 to 5.0.0

Release notes

Sourced from bootstrap's releases.

v5.0.0

Highlights

#32155: Updated make-col() mixin to generate equal columns when no size is specified #32763: Added new color-scheme() mixin #33389: Dropdown menus now have option become clickable #33453: Added new docs footer #33548: Offcanvas header components are now vertically aligned #33549: Added offcanvas-top modifier #33634: Added support for .dropdown-items wrapped in <li>s #33626: Fix v5 regressions in tab dropdown functionality

🚀 Features

#32763: Add color-scheme mixin

#33389: Dropdown — Add option to make the dropdown menu clickable

#33549: Add offcanvas-top modifier

🎨 CSS

#32155: Add equal column mixin

#32763: Add color-scheme mixin

#33292: Make accordion icon rotation more natural

#33411: Fix validation feedback icon in select multiple

#33478: Make .nav-link color consistent when using buttons

#33482: Dropdown — Apply positioning only when Popper is not used

#33548: Vertically align offcanvas header components

#33549: Add offcanvas-top modifier

#33550: Spinner alignment changes

#33598: Hide validation icons from multiple selects

#33600: Have $form-check-input-border's default derive from $black

#33607: Reduce color-scheme complexity

#33642: use :read-only css selector instead [readonly] for consistency

#33658: fix: use list-group variable instead of alert

#33736: accordion: fix border-top on Firefox

☕️ JavaScript

#32439: Decouple BackDrop from modal

#33245: Decouple Modal's scrollbar functionality

#33249: Simplify Modal Config

#33250: Simplify ScrollSpy config

#33310: fix: make EventHandler better handle mouseenter/mouseleave events

#33389: Dropdown — Add option to make the dropdown menu clickable

#33429: Remove element event listeners through base component

#33451: Add missing things in hide method of dropdown

#33456: Use our isDisabled util on dropdown

#33466: Refactor dropdown's hide functionality

#33479: Fix dropdown escape propagation

#33496: Use cached noop function

... (truncated)

Commits

bf09367 Release v5.0.0 (#33647)
48ae5a7 Rewrite migration guide (#33834)
f086572 refactor(docs): Added form file input variables (#33833)
1a54286 Fix doc typo and Bootstrap Icons link (#33832)
e2df73f Update migration guide for some v5 changes (#33829)
1e6356a Neutralise more words from placeholder text (#33731)
6633845 Bump eslint-config-xo from 0.35.0 to 0.36.0 (#33646)
cb38744 Tweak toast docs (#33810)
c2ff225 Bump rollup from 2.46.0 to 2.47.0 (#33818)
c090ea2 Bump @babel/preset-env from 7.14.0 to 7.14.1 (#33819)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by mdo, a new releaser for bootstrap since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

…updates Bumps the npm_and_yarn group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [basic-ftp](https://github.com/patrickjuchli/basic-ftp) | `5.1.0` | `5.2.2` | | [picomatch](https://github.com/micromatch/picomatch) | `4.0.3` | `4.0.4` | | [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` | | [rollup](https://github.com/rollup/rollup) | `4.57.1` | `4.60.1` | | [tar](https://github.com/isaacs/node-tar) | `7.5.7` | `7.5.13` | | [undici](https://github.com/nodejs/undici) | `7.22.0` | `7.25.0` | Bumps the npm_and_yarn group with 1 update in the /e2e/fixtures/npm/simple directory: [bootstrap](https://github.com/twbs/bootstrap). Updates `basic-ftp` from 5.1.0 to 5.2.2 - [Release notes](https://github.com/patrickjuchli/basic-ftp/releases) - [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md) - [Commits](patrickjuchli/basic-ftp@v5.1.0...v5.2.2) Updates `picomatch` from 4.0.3 to 4.0.4 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@4.0.3...4.0.4) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@4.0.3...4.0.4) Updates `rollup` from 4.57.1 to 4.60.1 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.57.1...v4.60.1) Updates `tar` from 7.5.7 to 7.5.13 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v7.5.7...v7.5.13) Updates `undici` from 7.22.0 to 7.25.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v7.22.0...v7.25.0) Updates `bootstrap` from 3.1.1 to 5.0.0 - [Release notes](https://github.com/twbs/bootstrap/releases) - [Commits](twbs/bootstrap@v3.1.1...v5.0.0) --- updated-dependencies: - dependency-name: basic-ftp dependency-version: 5.2.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 4.0.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.60.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tar dependency-version: 7.5.13 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 7.25.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: bootstrap dependency-version: 5.0.0 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-04-14T15:51:22Z

Looks like these dependencies are updatable in another way, so this is no longer needed.

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 14, 2026

dependabot bot requested a review from a team as a code owner April 14, 2026 15:14

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 14, 2026

dependabot bot closed this Apr 14, 2026

dependabot bot deleted the dependabot/npm_and_yarn/npm_and_yarn-44bd878f7d branch April 14, 2026 15:51

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 2 directories with 6 updates#535

chore(deps): bump the npm_and_yarn group across 2 directories with 6 updates#535
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-44bd878f7d

dependabot bot commented on behalf of github Apr 14, 2026 •

edited

Loading

Uh oh!

dependabot bot commented on behalf of github Apr 14, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

5.2.2

5.2.1

5.2.0

5.2.2

5.2.1

5.2.0

4.0.4

What's Changed

4.0.4

What's Changed

v4.60.1

4.60.1

Bug Fixes

Pull Requests

v4.60.0

4.60.0

Features

Pull Requests

v4.59.1

4.59.1

Bug Fixes

Pull Requests

4.60.1

Bug Fixes

Pull Requests

4.60.0

Features

Pull Requests

4.59.1

Bug Fixes

Pull Requests

v7.25.0

What's Changed

v7.24.8

What's Changed

v7.24.7

What's Changed

New Contributors

v7.24.6

What's Changed

New Contributors

v5.0.0

Highlights

🚀 Features

🎨 CSS

☕️ JavaScript

Uh oh!

dependabot bot commented on behalf of github Apr 14, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot bot commented on behalf of github Apr 14, 2026 •

edited

Loading